b'   July 29, 2002\n\n\n\n\nInformation\nSystem Security\nUser Authentication Protection at\nCentral Design Activities\n(D-2002-135)\n\n\n\n\n              Department of Defense\n          Office of the Inspector General\nQuality              Integrity        Accountability\n\x0c  Additional Copies\n\n  To obtain additional copies of this evaluation report, visit the home page of the\n  Inspector General of the Department of Defense at www.dodig.osd.mil/audit/reports\n  or contact the Secondary Reports Distribution Unit of the Audit Followup and\n  Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax\n  (703) 604-8932.\n\n  Suggestions for Future Evaluations\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n  fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                OAIG-AUD (ATTN: AFTS Evaluation Suggestions)\n                   Inspector General, Department of Defense\n                      400 Army Navy Drive (Room 801)\n                          Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\n  by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.\n  The identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nCDA                   Central Design Activity\nDISA                  Defense Information Systems Agency\nFIPS                  Federal Information Processing Standards\nNIST                  National Institute of Standards and Technology\nOMB                   Office of Management and Budget\n\x0c\x0c         Office of the Inspector General of the Department of Defense\nReport No. D-2002-135                                                      July 29, 2002\n  (Project No. D2000PT-0121.001)\n\n       User Authentication Protection at Central Design Activities\n\n                                   Executive Summary\n\nWho Should Read This Report And Why? Officials and administrators who are\nresponsible for DoD information systems should read this report. The report explains\nthe extent of transmitting user passwords in plain text while accessing software\ndevelopment environments and the vulnerabilities associated with it.\n\nBackground. A Central Design Activity is defined as a designated organization within\na Component that has responsibility for designing, converting, programming, testing,\ndocumenting, or subsequently maintaining computer operating or applications software\nfor use at more than one location. We evaluated authentication protection at an Army,\na Navy, and an Air Force Central Design Activity.\n\nCentral Design Activities use software development environments to develop and\nmaintain the software for which they are responsible. A software development\nenvironment is an integrated suite of tools to aid the development of software in a\nparticular programming language or for a particular application.\n\nLogging on to the vast majority of computing systems, including software development\nenvironments, is protected by passwords. The person logging on must supply a user\nname plus the password associated with that user name. The system evaluates the\npassword to verify the user\xe2\x80\x99s identity claim. This process is called authentication.\nPassword authentication mechanisms work if passwords are kept secret at all stages.\nDuring a previous evaluation, we confirmed at one central design activity that user\nnames and passwords were transmitted in plain text to software development\nenvironments located at the Defense Information Systems Agency Defense Enterprise\nComputing Centers. Readily available software would permit an attacker to capture the\ntransmitted user name and password for possible unauthorized accesses.\n\nResults. User names and passwords were transmitted in plain text over unsecured\nnetworks on 15 of 26 software development environments at 3 Central Design\nActivities. As a result, the 15 software development environments have an increased\nrisk of unauthorized access, unauthorized changes to DoD software, and loss of\naccountability. In addition, all unclassified DoD systems could be similarly affected.\nAdditional policy was needed to ensure authentication information was protected during\ntransmission over unsecured networks. See the Finding section for the detailed\nrecommendation.\n\n\n\n\n                                            i\n\x0cWe had previously reported a similar problem in DoD Inspector General Report\nNo. D-2000-058 \xe2\x80\x9cIdentification and Authentication Policy\xe2\x80\x9d, December 20, 1999. The\nOffice of the Assistant Secretary of Defense (Command, Control, Communications, and\nIntelligence) had not completed actions to issue policy to address the issue.\n\nManagement Comments. The Assistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) concurred with the recommendation and stated that\ninformation assurance policy will be updated to require unclassified and classified\nsystems protect authentication information during transmission by including it in the\nnew information assurance DoD Instruction 8500.bb. A discussion of management\ncomments is in the Finding section of the report and the complete text is in the\nManagement Comments section.\n\nEvaluation Response. The Assistant Secretary of Defense (Command, Control,\nCommunications, and Intelligence) comments were responsive. We request that the\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\nprovide additional comments by September 24, 2002, on when the proposed policy\nupdates will be available to review for consistency with standards and guidance from\nthe National Institute of Standards and Technology.\n\n\n\n\n                                          ii\n\x0cTable of Contents\n\nExecutive Summary                                                         i\n\n\nBackground                                                               1\n\n\nObjective                                                                2\n\n\nFinding\n     Authentication Vulnerability                                        3\n\nAppendixes\n     A. Scope and Methodology                                             9\n          Prior Coverage                                                  9\n     B. Military Department Central Design Activities                    11\n     C. Report Distribution                                              12\n\nManagement Comments\n     Assistant Secretary of Defense (Command, Control, Communications,\n       and Intelligence)                                                 15\n\x0cBackground\n    In Inspector General of the Department of Defense Report No. D-2001-046,\n    \xe2\x80\x9cEvaluation of Information Assurance at Central Design Activities,\xe2\x80\x9d February\n    7, 2001, we confirmed at a Defense Agency central design activity (CDA) that\n    user names and passwords were transmitted in plain text over unsecured\n    networks to software development environments. Readily available software\n    would permit an attacker to capture the transmitted user name and password for\n    possible unauthorized accesses. Because of concern about security issues we\n    expanded our review to the Military Departments.\n\n    Central Design Activities. A CDA is defined as a designated organization,\n    within a DoD Component, that has responsibility for designing, converting,\n    programming, testing, documenting, or subsequently maintaining computer\n    operating or applications software for use at more than one location. The\n    Army, the Navy, and the Air Force have a total of 17 CDAs. See Appendix B\n    for the CDA list.\n\n    For this evaluation, we visited the Software Engineering Center - Meade (Army)\n    and the Fleet Material Support Office (Navy). We collected information\n    assurance data from these CDAs and from the Materiel Systems Group (Air\n    Force). Other DoD agencies have CDAs also. The Marine Corps, the Defense\n    Finance and Accounting Service, the Director for Information and Technology,\n    and the Defense Logistics Agency list CDA organizations.\n\n           Software Engineering Center - Meade. The Software Engineering\n    Center \xe2\x80\x93 Meade in Fort Meade, Maryland, is a direct reporting unit of the\n    Software Engineering Center, Communications and Electronics Command,\n    U.S. Army Materiel Command. The Software Engineering Center \xe2\x80\x93 Meade has\n    76 employees and provides life-cycle support of software products.\n\n            Fleet Material Support Office. The Fleet Material Support Office in\n    Mechanicsburg, Pennsylvania, is a major field organization of the Naval Supply\n    Systems Command. The Fleet Material Support Office has more than 900\n    employees and provides information technology products and services to the\n    Navy, DoD, and other Federal organizations. Their systems integrate supply,\n    financial, maintenance, procurement, and other logistics functions through\n    networks, telecommunications, and interrelated databases.\n\n           Materiel Systems Group. The Materiel Systems Group, Wright-\n    Patterson Air Force Base, Ohio, is a direct reporting unit of the Electronic\n    Systems Center, Air Force Materiel Command. The Materiel Systems Group\n    supports the Air Force information goals through acquiring, developing,\n    maintaining, reengineering, and providing technical services for information\n    systems. The Materiel Systems Group has 576 employees and manages more\n    than 160 of the Air Force Materiel Command\xe2\x80\x99s logistics information systems.\n\n    Software Development Environments. Central Design Activities use software\n    development environments to develop and maintain the software for which they\n\n                                       1\n\x0c    are responsible. A software development environment is an integrated suite of\n    tools to aid the development of software in a particular programming language\n    or for a particular application. A software development environment includes\n    the facilities, networks, hardware, software, firmware, procedures, and\n    documentation needed to perform software engineering. The software may\n    include programming tools, documentation tools, debugging tools, test tools,\n    source code management tools, and database management systems.\n\n    System User Authentication. Logging on to the vast majority of information\n    systems, including software development environments, is protected by\n    passwords. The person logging on must supply a user name plus a password\n    associated with that user name. The system evaluates the password to verify the\n    user\xe2\x80\x99s identity claim. This process is called authentication. Password\n    authentication works when the passwords are kept secret at all stages. Secrecy\n    can be lost when passwords are entered, transmitted, and stored. When\n    passwords are transmitted in plain text, they are vulnerable to electronic\n    eavesdropping.\n\n    Prior Audit Coverage. Inspector General of the Department of Defense\n    Report No. D-2000-058, \xe2\x80\x9cIdentification and Authentication Policy,\xe2\x80\x9d\n    December 20, 1999, references the Assistant Secretary of Defense (Command,\n    Control, Communications, and Intelligence) memorandum on \xe2\x80\x9cYear 2000 and\n    the Importance of Adherence to Department of Defense Information Security\n    Policy,\xe2\x80\x9d May 5, 1999. The memorandum recommended that all personnel\n    using DoD systems comply with the guidance in AI-26, chapter 11, and\n    particularly section 5.1.1. We used the referenced AI-26 guidance to determine\n    whether security policies of various DoD Components were uniform. Of the 18\n    AI-26 identification and authentication requirements evaluated, none addressed\n    the vulnerability of transmitting passwords in plain text or set requirements for\n    password protection while being transmitted for logon. The results illustrated\n    wide discrepancies between the various policies, which highlighted the need for\n    uniform DoD requirements for identification and authentication controls. The\n    report recommended the Assistant Secretary of Defense (Command, Control,\n    Communications, and Intelligence) develop interim guidance to establish\n    minimum security requirements covering identification and authentication, and\n    accelerate the reissuance of a governing DoD directive. The extended time\n    needed to coordinate DoD guidance to address the issues has delayed\n    implementation of the recommendations.\n\nObjective\n    The objective of this evaluation was to assess the extent of the transmission of\n    software development environment user names and passwords in plain text and\n    how this vulnerability was addressed.\n\n\n\n\n                                        2\n\x0c            Authentication Vulnerability\n            At the three CDAs we evaluated, the user names and passwords were\n            transmitted over unsecured networks to their software development\n            environment hosts. The CDAs reported that in 15 of 26 software\n            development environments, the user passwords were transmitted in plain\n            text. Passwords were transmitted in plain text because DoD information\n            assurance policy did not require protection of authentication information\n            during transmission to unclassified systems and did not require National\n            Institute of Standards and Technology security guidance to be followed,\n            as required by Office of Management and Budget Circular No. A-130.\n            As a result, the 15 software development environments have an increased\n            risk of unauthorized access, unauthorized changes to DoD software, and\n            loss of accountability. In addition, because of the lack of explicit DoD\n            policy on this matter, all unclassified DoD systems could be similarly\n            affected.\n\nVulnerability, Threat, and Safeguard\n     The concepts of vulnerability, threat, and safeguard make up a framework for\n     thinking about computer security. Vulnerability is a weakness of a system that\n     would allow system security to be violated. A threat is a circumstance or event\n     that could cause harm by violating security. A threat often exploits a\n     vulnerability. A safeguard is any technique, procedure, or other measure that\n     reduces vulnerability. Some threats aim at safeguards such as passwords.\n\n     Reliable authentication mechanisms are critical to the security of any automated\n     information system. In the past, it was relatively easy to protect computer\n     systems because they were typically installed in centralized computing facilities.\n     Because the terminals used to access the computer were usually in the same\n     building, only those persons having physical access to the building had use of\n     the terminals. However, this level of physical control is no longer viable\n     because of the proliferation of networked computer systems. Networking makes\n     it more difficult to identify system users and increases opportunities for\n     unauthorized parties to eavesdrop on legitimate user and remote host computer\n     sessions. User passwords were sometimes transmitted through the network in\n     plain text form. If an attacker were able to eavesdrop on the user\xe2\x80\x99s session, the\n     attacker could record the user\xe2\x80\x99s password or other critical authentication data.\n     The attacker could pose as a valid user by logging on the remote host using the\n     recorded authentication data.\n\n     Monitoring network information is called \xe2\x80\x9csniffing.\xe2\x80\x9d Software is readily\n     available for monitoring network traffic, primarily for the purpose of network\n     performance management and problem diagnosis. The same software is often\n     quite effective for capturing passwords during network transmissions.\n     Unauthorized sniffers can be extremely dangerous to network security because\n     they are virtually impossible to detect and can be inserted almost anywhere in\n     the network. Attempts to use firewalls to solve these security problems assume\n     that \xe2\x80\x9cthe bad guys\xe2\x80\x9d are on the outside, which is often a wrong assumption.\n\n                                         3\n\x0c    Insiders carry out most of the seriously damaging incidents of computer crime.\n    Some systems apply a cryptographic algorithm to scramble (encrypt) the\n    password before transmission so that the plain text password is not exposed.\n    However, an attacker could record the encrypted password and use it to gain\n    access to the host computer. In either case, the host computer cannot\n    distinguish between the attacker and a valid user, and access is granted.\n\n    One-time password technology uses passwords that, if intercepted, cannot be\n    used for future access. One approach to one-time passwords is to have the\n    remote host provide challenge information, such as a word for one-time use,\n    when an authorized user connects. The challenge information and user\n    password are plugged into an algorithm, which generates the response that the\n    remote host verifies. With this approach, the password is never transmitted\n    over the network, nor is the challenge used twice. Some approaches use\n    passwords combined with time slots and a time synchronized host. Others use a\n    card system with stored numbers and the remote host uses a matching list of\n    numbers.\n\nUser Name and Password Transmissions\n    At the three CDAs we evaluated, the user names and passwords were\n    transmitted over unsecured networks to their software development environment\n    hosts. The CDAs reported that in 15 of 26 software development environments,\n    the user passwords were transmitted in plain text. Of the 11 software\n    development environments with protected logon passwords, 10 used encryption\n    features provided by the commercial software tools in their software\n    development environments. One development project used a separate and\n    dedicated network to mitigate the plain text password risk sufficiently and was\n    considered adequately protected. Other risk reduction approaches, such as\n    switched networks and firewalls, were not sufficient to protect the plain text\n    passwords from an insider attack. One-time passwords from a smart card,\n    token, or encrypted challenge/response dialog offered increased protection\n    because the transmitted password was good for just one use. These solutions\n    were only granted to privileged users such as system programmers, network\n    administrators, and database administrators.\n\n    Transmitting logon passwords in plain text to the host computer was not unique\n    to software development environments. The DISA Field Security Office and the\n    Defense Enterprise Computing Center at Mechanicsburg observed that most\n    system user logon passwords were transmitted in plain text.\n\n    The National Bureau of Standards, now known as the National Institute of\n    Standards and Technology (NIST), identified the vulnerability of passwords\n    transmitted in plain text over unsecured networks in the Federal Information\n    Processing Standards (FIPS) Publication 83, \xe2\x80\x9cGuideline on User Authentication\n    Techniques for Computer Network Access Control,\xe2\x80\x9d September 1980. They\n    warned of wiretapping and electronic eavesdropping and recommended a\n    process that encrypted passwords differently each time the encryption process\n    was used. FIPS Publication 190, \xe2\x80\x9cGuideline for the Use of Advanced\n    Authentication Technology Alternatives,\xe2\x80\x9d September 1994 and NIST Special\n    Publication 800-12, \xe2\x80\x9cAn Introduction to Computer Security: The NIST\n\n                                       4\n\x0c    Handbook,\xe2\x80\x9d October 1995 both contain extensive information on the password\n    transmission vulnerability and possible safeguards. The threat was described as\n    electronic monitoring and the safeguards were updated to include authentication\n    tokens and biometrics. Since 1980, the message has been that organizations\n    should protect authentication data transmitted over public or unsecured\n    networks.\n\nInformation Assurance Requirements and Guidance\n    Federal Policy. Office of Management and Budget (OMB) Circular\n    No. A-130, February 8, 1996, establishes policy for the management of Federal\n    information resources. Circular No. A-130 states that agencies will protect\n    Government information commensurate with the risk and magnitude of harm\n    that could result from the loss, misuse, or unauthorized access to, or\n    modification of, information. Circular No. A-130 tasks the Secretary of\n    Commerce to develop and issue Federal Information Processing Standards\n    (FIPS) and guidelines for Government information technology. Circular\n    No. A-130 requires agencies to use Federal Information Processing Standards\n    where appropriate or required. Appendix III of Circular No. A-130, \xe2\x80\x9cSecurity\n    of Federal Automated Information Resources,\xe2\x80\x9d states that agencies shall\n    implement and maintain a program to assure that adequate security is provided\n    for all agency information in general support systems and major applications.\n    Each agency\xe2\x80\x99s program shall implement policies, standards, and procedures that\n    are consistent with Government-wide policies, standards, and procedures issued\n    by the Office of Management and Budget, the Department of Commerce, and\n    General Services Administration, and the Office of Personnel Management.\n    Appendix III further states that agencies should assure that each system\n    appropriately uses effective security products and techniques, consistent with\n    standards and guidance from NIST. The November 30, 2000, update to\n    Circular No. A-130 requires the agency annual Information Technology Capital\n    Plan to explain any planned or actual variance from NIST security guidance.\n\n    DoD Policy. The primary DoD information assurance policy is DoD Directive\n    5200.28, \xe2\x80\x9cSecurity Requirements for Automated Information Systems,\xe2\x80\x9d March\n    1988. DoD Directive 5200.28 states that unclassified information in automated\n    information systems shall be safeguarded against tampering, loss, and\n    destruction, and shall be available when needed. DoD Directive 5200.28\n    references OMB Circular No. A-130 for suggested safeguards for unclassified\n    information but includes no references to Federal Information Processing\n    Standards or requirements to implement NIST security guidance. The minimum\n    safeguards for automated information systems that process classified and\n    sensitive unclassified information require the positive identification of each user\n    before authorizing access to the system. The policy does not establish a baseline\n    for protection of authentication information when used to logon to hosts over\n    unsecured networks.\n\n    Air Force Manual 33-223, \xe2\x80\x9cIdentification and Authentication,\xe2\x80\x9d June 1998 was\n    the only Component policy to address the transmission of passwords. The\n    manual states:\n\n                                         5\n\x0c               Protect passwords during transmission at the same level required for\n               the system or data the password is protecting. Passwords are\n               typically sent from a terminal to the system by a communication line.\n               Unless the line is physically protected or encrypted, the password is\n               vulnerable to disclosure by wiretapping and/or sniffers. Prevent this\n               vulnerability by electronic protection or password encryption.\n               Increasing the password length and changing it more often can\n               mitigate this vulnerability.\n\n    The policy discusses the transmission vulnerability but is not clear about\n    protecting passwords.\n\n    The DoD Chief Information Officer Guidance and Policy Memorandum 6-8510,\n    \xe2\x80\x9cDepartment of Defense Global Information Grid Information Assurance,\xe2\x80\x9d\n    June 2000 sets user access to mission support or administrative data at the basic\n    robustness level. Basic robustness is equivalent to good commercial practice\n    and is the lowest level of security services described in Memorandum 6-8510.\n    The basic robustness level of authenticated access control includes digital\n    signature (public key encryptography based), challenge/response identification\n    and authentication, or preplaced keying material. Although the memorandum\n    has expired, it is still being used and it shows the intended direction for DoD\n    information assurance policy.\n\nUnprotected Transmission of Authentication Information\n    The GAO/AIMD-98-274 report, \xe2\x80\x9cFinancial Management, Improvements\n    Needed in Air Force Vendor Payment Systems and Controls,\xe2\x80\x9d September 1998\n    identified systems that are vulnerable to penetration by unauthorized internal\n    users because vendor payment system passwords and user names are transmitted\n    across the local network and communication links in plain text. Readily\n    available software would permit any user to read vendor payment system\n    passwords and user names. Thus, a clerk could obtain the passwords and user\n    names of employees with higher access and use this information to enter the\n    vendor payment system and perform all payment processing functions.\n    Technological controls could be used to improve user authentication procedures,\n    such as a smart card.\n\n    The June 7, 2001, Security Wire Digest reports that an attacker gained access to\n    the server of a commercial software development organization and accessed\n    their source code repositories. Security specialists and administrators\n    determined the extent of the intrusion, repaired the damage, and brought the\n    server back online. There was no evidence that any code was affected. The\n    attacker had subverted the client code at a remote site and captured the logon\n    name and password of a user who logged onto the server. Once the attacker\n    was accepted as an authorized user, the attacker used a weakness of the server\n    system to gain root privileges. At that point, the attacker modified the client\n    and server systems to record user names and passwords. Some insider\n    knowledge may have helped the attacker select the remote site and modify the\n    systems.\n\n\n\n                                            6\n\x0c    It has long been recognized that the greatest harm to systems and their data has\n    come from authorized individuals engaged in improper activities, whether\n    intentional or accidental. In every system, a number of technical, operational,\n    and management controls are used to prevent and detect harm. Such controls\n    include individual accountability. Accountability is normally accomplished by\n    identifying and authenticating users of the system and subsequently tracing\n    actions on the system to the user who initiated them. If an attacker\n    impersonates an authorized user, accountability will identify the authorized user,\n    not the attacker. The attacker could make unauthorized changes to the system\n    or the data.\n\n\n\nSummary\n    When user names and passwords are transmitted over unsecured networks in\n    plain text, they are vulnerable to electronic eavesdropping. This vulnerability\n    has been a known security risk for years and solutions are available. However,\n    15 of 26 software development environments we reviewed continue to operate\n    with this vulnerability. NIST security standards address this vulnerability, and\n    the OMB Circular No. A-130 requires the use of these standards in Federal\n    agency information assurance programs. However, DoD policies do not\n    reference or require compliance with NIST security standards and do not require\n    protection of the passwords when transmitted to unclassified hosts. The\n    unprotected user name and password can be captured and used to impersonate\n    the authorized user for unauthorized access to the system, and could result in\n    unauthorized changes to the system or the data. In addition, because of the lack\n    of explicit DoD policy on this matter, all unclassified DoD systems could be\n    similarly affected.\n\nRecommendation, Management Comments, and Evaluation\n  Response\n    We recommend that the Assistant Secretary of Defense (Command,\n    Control, Communications, and Intelligence) update DoD information\n    assurance policy to require unclassified systems to protect authentication\n    information during transmission over unsecured networks and to use\n    security products and techniques that are consistent with standards and\n    guidance from the National Institute of Standards and Technology.\n\n    Management Comments. The Assistant Secretary of Defense (Command,\n    Control, Communications, and Intelligence) (ASD[C3I]) concurred with the\n    recommendation and stated that information assurance policy will be updated in\n    the new DoD Instruction 8500.bb by including the requirement for unclassified\n    as well as classified systems to protect authentication information during\n    transmission. Specifically, the new DoD Instruction 8500.bb will incorporate\n    words to protect authentication information during transmission \xe2\x80\x9cboth as a\n\n                                        7\n\x0cresponsibility of users and in the appropriate controls relating to the treatment of\nindividual identification and authentication.\xe2\x80\x9d\n\nEvaluation Response. The ASD(C3I) comments are responsive. In response to\nthe final report, we request that the ASD(C3I) provide dates when the proposed\npolicy updates will be available to review for consistency with standards and\nguidance from the National Institute of Standards and Technology.\n\n\n\n\n                                     8\n\x0cAppendix A. Scope and Methodology\n    Work Performed. We evaluated authentication protection in 26 software\n    development environments at 3 Central Design Activities. We developed two\n    questionnaires, one to be used for each software development environment and\n    the other to determine the security policies and procedures in effect for the\n    organizations. We collected answers to the policy questionnaire from all\n    organizations that we contacted during this evaluation. The software\n    development environment questionnaires were collected from the Central Design\n    Activities that we contacted. We also reviewed relevant policy at the Federal,\n    DoD, and Services levels.\n    We analyzed the questionnaire results, documents, and referenced web sites.\n    We reviewed prior audit and evaluation reports for related coverage.\n\n    Limitations to Scope. We did not review the management control program\n    related to the evaluation objective because DoD has recognized Information\n    Assurance as a material management control weakness area since the FY 1999\n    Annual Statement of Assurance.\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the DoD. This report provides coverage\n    of the Information Management and Technology high-risk area.\n\n    Use of Computer-Processed Data. We did not use computer-processed data to\n    perform this evaluation.\n\n    Evaluation Type, Dates, and Standards. We performed this evaluation from\n    September 2000 through December 2001 in accordance with standards\n    implemented by the Inspector General, DoD. Our scope was limited in that we\n    did not include tests of management controls.\n\n    Contacts During the Evaluation. We visited or contacted individuals and\n    organizations within DoD. Further details are available on request.\n\nPrior Coverage\n    During the past 5 years, the General Accounting Office and the Inspector\n    General of the Department of Defense issued reports that discussed the\n    vulnerability of transmitted passwords and information assurance policy.\n\n    General Accounting Office\n    GAO Report No. GAO/AIMD-98-274, \xe2\x80\x9cFinancial Management, Improvements\n    Needed in Air Force Vendor Payment Systems and Controls,\xe2\x80\x9d September 1998\n\n\n\n\n                                       9\n\x0cInspector General of the Department of Defense (IG DoD)\nIG DoD Report No. D-2000-124, \xe2\x80\x9cInformation Assurance Challenges\xe2\x80\x94A\nSummary of Audit Results Reported December 1, 1998, through March 31,\n2000,\xe2\x80\x9d May 15, 2000\n\nIG DoD Report No. D-2000-058, \xe2\x80\x9cIdentification and Authentication Policy\xe2\x80\x9d,\nDecember 20, 1999\n\nIG DoD Report No. 99-069, \xe2\x80\x9cSummary of Audit Results\xe2\x80\x94DoD Information\nAssurance Challenges,\xe2\x80\x9d January 22, 1999\n\nUnrestricted Inspector General of the Department of Defense reports can be\naccessed over the Internet at http://www.dodig.osd.mil/audit/reports.\n\n\n\n\n                                  10\n\x0cAppendix B. Military Department Central\n            Design Activities\n\nCentral Design Activities\n     For the purpose of this evaluation, a Central Design Activity (CDA) is defined\n     as a designated organization, within a DoD Component, that has responsibility\n     for designing, converting, programming, testing, documenting, or subsequently\n     maintaining computer operating or applications software for use at more than\n     one location.\n     Although each Military Department\xe2\x80\x99s definition of a CDA may vary slightly\n     from the definition above, they each identified their CDAs (see table below) and\n     noted that they had other software development groups that were not CDAs.\n     Those other software development groups are not considered CDAs because\n     they support software only for the business area organization they belong to, as\n     opposed to more than one location as our definition of CDAs requires.\n\n      Military Department Central Design Activities\n\n      Army\n      Army Total Personnel Command\n      Industrial Logistics Systems Center\n      Logistics Systems Support Center\n      Software Engineering Center \xe2\x80\x93 Belvoir\n      Software Engineering Center - Lee\n      Software Engineering Center \xe2\x80\x93 Meade\n\n      Navy\n      Bureau of Naval Personnel\n      Fleet Material Support Office\n      Naval Aviation Depot Operations Center\n      Naval Computer and Telecommunications Area Master Station, Atlantic\n      Naval Computer and Telecommunications Station, Jacksonville\n      Naval Computer and Telecommunications Station, Pensacola\n      Naval Computer and Telecommunications Station, Washington\n      Naval Education and Training Professional Development and Technology Center\n      Naval Reserve Information Systems Office\n\n      Air Force\n      Materiel Systems Group\n      Standard Systems Group\n\n\n\n\n                                         11\n\x0cAppendix C. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n  Deputy Assistant Secretary of Defense, Deputy Chief Information Officer\n  Deputy Assistant Secretary of Defense, Security and Information Operations\n      Director, Infrastructure and Information Assurance\n      Director, Policy Integration and Operations\n\nJoint Staff\nDirector, Joint Staff\n   Director, Operations\n   Director, Command, Control, Communications, and Computers\n\nDepartment of the Army\nCommanding General, Army Communications and Electronics Command\n  Commander, Software Engineering Center - Meade\nAuditor General, Department of the Army\n\nDepartment of the Navy\nCommander, Naval Supply Systems Command\n  Commanding Officer, Fleet Material Support Office\nNaval Inspector General\nAuditor General, Department of the Navy\n\n\n\n\n                                        12\n\x0cDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nCommander, Air Force Materiel Command\n   Executive Director, Materiel Systems Group\nInspector General, Department of the Air Force\nAuditor General, Department of the Air Force\n\nOther Defense Organizations\nDirector, Defense Information Systems Agency\n   Commander, Defense Information Systems Agency Western Hemisphere\n\nNon-Defense Federal Organizations\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                         13\n\x0c\x0cAssistant Secretary of Defense (Command,\nControl, Communications, and Intelligence)\nComments\n\n\n\n\n                   15\n\x0c\x0cTEAM MEMBERS\nThe Audit Followup and Technical Support Directorate, Office of the Assistant\nInspector General for Auditing of the Department of Defense prepared this report.\nPersonnel of the Office of the Inspector General of the Department of Defense who\ncontributed to the report are listed below.\n\n\nDavid A. Brinkman\nKenneth H. Stavenjord\nPeter C. Johnson\n\n\n\n\n                                         17\n\x0c'